Energy Security Pros May Overestimate Their Ability To Detect a Breach, Suggests Survey

A survey recently published by Tripwire reveals that 86% of energy security professionals believe they can detect a breach in less than a week, leading some to wonder whether this confidence is misplaced.

Conducted by Dimensional Research, the survey examined the views of over 400 energy executives and IT professionals in the energy, oil, gas and utility industries on cybersecurity and compliance initiatives.

Some of the key findings of the survey include the following:

86 percent of security professionals believe they could detect a breach in less than one week, with 49 percent of all respondents subscribing to the idea that their organization could detect a cyberattack on a critical system within 24 hours.

61% of energy executives claimed their organization could detect a critical system breach in less than 24 hours.

These levels of confidence notwithstanding, Mandiant’s M-Trends 2015 report has revealed that the average time required to detect an advanced persistent threat on a corporate network is 205 days. Additionally, in the 2015 Data Breach Investigations Report, whose key takeaways can be found here, Verizon reported that two-thirds of targeted attacks generally took months to detect.

This apparent gap in understanding is especially significant given an analysis earlier this year that found that the United States’ power grid experiences targeted attacks, both digital and physical in nature, every four days.

Mark Weatherford, principal at The Chertoff Group, has an explanation for why energy security professionals’ confidence might be so high despite these and other contrary pieces of research.

“Cybersecurity within energy companies is stronger than it has ever been, yet growing bodies of evidence indicate that it’s still far too easy to compromise the energy infrastructure,” said Weatherford. “Confidence at the executive level is certainly critical and necessary for success, but over-confidence can lead to a potentially dangerous false sense of security. Interestingly, a survey conducted last year by the Ponemon Institute found that 31 percent of 160,000-plus IT security professionals in 15 countries never speak with senior company executives, which might explain why Tripwire’s survey found that energy executives have such a high level of confidence in their organization’s ability to detect a critical systems breach. Therefore, it’s a legitimate question to ask if executive confidence is misplaced.”

This lack of communication between IT security professionals and senior company executives leads to some negative outcomes, including a lack of appreciation for the risks confronting organizations in the energy sector.

As explained by Rekha Shenoy, vice president of business and corporate development for Tripwire, “Cybersecurity in the energy industry is focused on protecting the availability and reliability of the critical infrastructure on which our nation relies. The good news is that energy organizations are increasingly aware of cybersecurity risks and are investing more resources into reducing these risks. The bad news is that many of these organizations are still underestimating the sophistication, persistence and evasive technology of the attackers who are targeting them. The reality is that most organizations need a continuous view of their entire attack surface in order to detect a breach quickly and respond before damage is done.”

Without expanded threat intelligence, as recommended by Shenoy, organizations are also undervaluing the technology they need to adequately detect a breach without it causing too much harm to the organization.

“One of the scarier aspects of this is that in most cases there are no detection, forensic or analytics capabilities deployed in industrial segments of these networks, so the only way to detect if there has been a breach is when there is a system failure,” observes Ken Westin, senior security analyst at Tripwire. “It is difficult to secure what you can’t see, and in some of these industrial networks, there is a real challenge in identifying anomalous behavior as it is difficult to identify what a ‘threat’ looks like in some of these systems. This is changing as more security standards are being deployed, but it will take a long time to see this widely distributed.”

Clearly, in order to develop a better appreciation for the technology used by attackers and for the tools necessary to defend one’s networks, it is crucial that executives and IT security professionals develop better communication practices going forward. For a list of expert recommendations on how security professionals can begin this process and improve their boards’ and executives’ cyber literacy, please click here.

The findings of this survey are consistent with another study conducted by Tripwire at the EnergySec 10th Anniversary Security Summit in Austin, Texas last fall, which found that just under a quarter (23%) of energy security professionals felt confident that their organization could detect a breach within 24 hours.

At the time, only 66% of respondents felt they could detect a breach within a week. The reasons behind this 30% jump in industry confidence in less than a year currently remain unclear.